Chapter 2: Core Security Principles and Models
Core Security Principles and Models. Think of this as the “blueprint” chapter—where we learn the foundational rules and philosophies that smart systems follow to stay secure. I’ll explain everything in detail, like we’re sitting together in a café in Airoli, with real-world examples (including some India-relevant ones where possible), analogies, and why these matter in 2025–2026 when AI attacks, cloud everything, and remote work are everywhere.
We’ll cover the four main topics one by one.
1. Security Models (e.g., Bell-LaPadula, Biba, Clark-Wilson)
These are formal, mathematical “rulesets” created decades ago but still super relevant today. They’re like traffic rules for data access—defining who can read/write what, based on sensitivity or trustworthiness. They use Mandatory Access Control (MAC), where the system (not just the user) enforces rules based on labels.
-
Bell-LaPadula (BLP) Model — The “No Read Up, No Write Down” model (from 1970s, made for US DoD). Focus: Confidentiality (prevent leaks of secret info). Key rules:
- Simple Security Property: No read up — A low-clearance person can’t read high-secret files.
- *-Property (Star Property): No write down — A high-clearance person can’t write to low-clearance files (prevents accidental leaks). Levels: Unclassified < Confidential < Secret < Top Secret (with categories like “Nuclear” or “India Defense”).
Real example: In a defense organization in India (like DRDO or CERT-In classified networks), a “Secret” engineer can’t read “Top Secret” missile specs (no read up), and a “Top Secret” analyst can’t accidentally email a report to a “Confidential” inbox (no write down). This stops data from flowing downward and leaking.
In 2025, it’s still used in government/military systems, but combined with modern tools because pure BLP can be rigid (e.g., trusted subjects can sometimes bypass for downgrading).
-
Biba Model — The “No Read Down, No Write Up” model (flips BLP, from 1977). Focus: Integrity (prevent bad/low-trust data from corrupting good/high-trust data). Key rules:
- Simple Integrity Property: No read down — A high-integrity process can’t read low-integrity (untrusted) data.
- *-Integrity Property: No write up — A low-integrity process can’t write to high-integrity data.
Real example: In a banking system, a “high-integrity” transaction server (trusted code) won’t read data from a potentially tampered user input form (low integrity—no read down), and a suspicious external feed can’t update your account balance (no write up). This stops malware or bad inputs from corrupting reliable financial records.
Used in commercial/safety-critical systems (e.g., aviation controls, stock trading platforms). In India, think RBI-regulated banking apps preventing tampered transaction data from messing with core ledgers.
-
Clark-Wilson Model — Commercial integrity model (1987, for businesses). Focus: Integrity through well-formed transactions and separation of duties (prevents fraud/errors even by authorized users). Key ideas:
- Constrained Data Items (CDIs): Critical data (e.g., bank balances) that must stay accurate.
- Unconstrained Data Items (UDIs): Input/temporary stuff.
- Transformation Procedures (TPs): Only approved programs can change CDIs (well-formed transactions).
- Separation of Duties: Certifier (approver) ≠ Implementer (doer).
- Integrity Verification Procedures (IVPs): Regularly check CDIs are consistent.
Real example: In an Indian company’s payroll system (e.g., using SAP/Oracle), only a certified “Update Salary” TP can change employee salary CDIs. HR enters data (UDI), finance approves (separation of duties), and an audit trail logs everything. If someone tries to fake a salary hike, it fails because it’s not a valid TP or duties aren’t separated. This prevents insider fraud—like an employee approving their own bonus.
Super relevant for finance, healthcare, e-commerce in 2025 (e.g., UPI/Paytm transaction integrity).
Quick comparison table (for your notes):
| Model | Focus | Key Rule Phrase | Best For | 2025 Example Use Case |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | No read up, no write down | Government/military | Classified defense networks |
| Biba | Integrity | No read down, no write up | Financial/safety systems | Banking transaction integrity |
| Clark-Wilson | Integrity | Well-formed transactions + separation of duties | Commercial/business | Payroll, financial apps, compliance |
These models aren’t used alone anymore—they inspire modern tools like SELinux (Linux), Windows Mandatory Integrity Control, or cloud IAM policies.
2. Defense in Depth and Layered Security
Defense in Depth (DiD) = Don’t rely on one lock—use multiple overlapping layers. If attackers break one, others stop them. It’s like a medieval fort: moat → walls → gates → guards → inner keep.
Layered Security is the practical way to implement DiD—stack controls at different levels.
Common layers (from outside in):
- Physical: Locks, CCTV, security guards (e.g., server room in your Navi Mumbai office).
- Perimeter/Network: Firewalls, IDS/IPS, VPNs (blocks outsiders).
- Endpoint: Antivirus/EDR, patch management (protects laptops/phones).
- Application: WAF, secure coding (stops SQL injection/XSS).
- Data: Encryption (at rest/in transit), DLP (prevents leaks).
- User: MFA, training (phishing awareness—huge in India with UPI scams).
- Monitoring/Response: SIEM, logs, incident response plans.
Real example (2025 style): Imagine a Mumbai fintech startup.
- Perimeter: Cloudflare/NGFW blocks bad IPs.
- If breached: EDR on endpoints detects ransomware behavior.
- If that fails: Encrypted backups + MFA stop data theft.
- User training catches the phishing email that started it.
Even if one fails (e.g., zero-day exploit), others catch it. In 2025, AI-powered threats make single-layer useless—DiD is essential.
3. Zero Trust Architecture Basics
Zero Trust = “Never trust, always verify.” Assume breach—verify every access, every time, no matter where the user/device is.
Core principles (2025 NIST/Forrester style):
- Verify explicitly: Identity + device health + context (location, time, behavior).
- Least privilege: Just enough access, for just enough time.
- Assume breach: Encrypt everything, monitor continuously, segment networks.
Pillars (NIST model): Identities, Devices, Networks, Apps, Data, Visibility & Analytics, Automation.
Real example: In a hybrid work setup in Airoli/Navi Mumbai:
- Employee logs in from home → ZT checks MFA + device posture (patched? no malware?) + behavior (unusual time?).
- Grants micro-access to only one app (e.g., HR portal), not the whole network.
- If suspicious, blocks instantly.
2025 trends: Market exploding ($39B+), focus on browser security, XDR integration, self-healing networks. Replaces old VPNs (too trusting). Big in cloud-heavy India (AWS/Azure users).
4. Risk Management Fundamentals (Identification, Assessment, Mitigation)
This is the ongoing process: Find risks → Evaluate them → Fix/reduce them → Monitor.
Steps (NIST/ISO style):
- Identification: Spot threats/vulnerabilities (e.g., unpatched software, phishing-prone employees, public S3 buckets). Tools: Scans, threat intel, employee reports. Example: Scan finds old Windows vuln used in ransomware.
- Assessment: Rate by likelihood × impact (e.g., high/medium/low). Example: Ransomware on finance server = High likelihood (India attacks rising) × High impact (downtime, fines) = Critical risk.
- Mitigation (Treatment):
- Avoid: Stop risky activity (e.g., disable old protocol).
- Mitigate/Reduce: Patch, add MFA, train staff.
- Transfer: Cyber insurance.
- Accept: Low risk, monitor only.
Real example (2025 India): A small Airoli IT firm identifies phishing risk (high, due to UPI scams). Assesses impact (data theft = high). Mitigates with MFA everywhere + monthly phishing sims. Monitors via SIEM.
Continuous: Re-assess quarterly—threats change fast (AI phishing in 2025).
Analogy: Like health checkup—identify (symptoms), assess (serious?), mitigate (medicine/lifestyle), monitor (follow-ups).
That’s Chapter 2 in full detail! These principles glue everything together for secure systems.
